How do I configure my device to use Radius, two factor authentication? (4256790)

How do I configure my device to use RADIUS, two factor authentication? Will my NAS / VPN network device work with Defender 2FA?

Generally if a device supports full RADIUS and two factor authentication then it should work.

To configure a new radius device:

1. Create and configure an Access Node in AD Users & Computers under the Defender OU | Access Node OU. 

- Right Click in Access Node OU and select New > Defender Access Node

- Use the IP address of the VPN device, (use 255.255.255.255 as the subnet mask), the required port (for example 1812) and a shared secret (passphrase or password). 

- Assign this to the Defender Security Server under the Servers tab and add the required users on the Members tab.

Please refer to the Administration guide for more information which is located here:

https://support.oneidentity.com/defender/technical-documents

2. Modify the Radius settings on the NAS (Network Access Server) /  VPN device to point to the Defender Security Server IP address using the same port and shared secret configured on the access node in step 1 above. If there are protocol options, ensure PAP (Password authentication protocol) is selected. Information on protocol support is available in KB106872

If there is a firewall involved then the required Radius port (For example 1812) between NAS \ VPN device and the Defender Security Server will also need to be opened.

Please note that some NAS devices do not support "full" RADIUS.  We have found that some types of devices allow a Yes/No type of response, which is used for token authentication (i.e. Access Accept or Access Reject packets), but do not allow the ‘more Info’ (i.e. Access Challenge) response.

For example, if the user wants to change a PIN on a token, some extra data needs to be exchanged (between the Defender Security Service and the user via the Defender Access node and Firewall/VPN) for the PIN change to be successful.  In this case ‘more Info’ is required which can be blocked by the firewall/VPN device.  Another example would be if the Access node policy was set to “AD Password” followed by “Token” which would also require the ‘more info’ packet exchanged.